19. September 2010 · Comments Off on How risky is the ‘Padding Oracle’ Crypto Attack? · Categories: Security-Compliance, Vulnerabilities · Tags: ,

ThreatPost reported that a pair of security researchers announced have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies. ‘Padding Oracle’ Crypto Attack Affects Millions of ASP.NET Apps | threatpost.

Microsoft admitted the vulnerability in Microsoft Security Advisory 2416728.

The question is, how likely is this vulnerability going to be exploited in the millions of ASP.NET web sites? According to a post on Slashdot.org:

…this attack requires fairly verbose error messages be sent back to the user of a web application. While I’m sure there do exist some ASP sites where this is the case, I don’t think it has been in any of the non-intranet sites I’ve seen in my career.

It just is not standard in any exposed web site, especially the kind of web site where you would care about customer information getting out, to allow useful error messages reach the end user. It is by far the standard to catch the exceptions, log them on the server, and show the end user a generic error message which would not be helpful in the case of this exploit.

So it appears that the risk of exploitation of this vulnerability depends on the coding practices of the web site developers. Good coding practices, not so risky.